A possible workaround is to use an SSH key which "forces" a command of "sudo /bin/login".
By doing so, one would first authenticate with the SSH key (without password), and then need to authenticate through the "regular" PAM stack (password from LDAP).
I haven't tried the configuration myself, but it's worth a shot.

Best regards,
Filip Fafara

On 01.09.2010 01:35, Robert Hajime Lanning wrote:
> ssh is not written to do that.
>
> It authorizes on first successful authentication.
>
> The closest thing you can do is distribute PKCS#11 compatible hardware
> tokens and configure the ssh client to use the key from there.
>
> This will implement two factor authentication.
> 1) the token (the key never leaves the token)
> 2) password authentication to the token to unlock access to use the key.
>
> You do lose the LDAP auth in doing this.
>
> 2010/8/31 Илья Скорик <ilya (at) skorik (dot) me>:
>> Approximately so.
>>
>> The problem is that people from an enterprise network have access to the
>> server, and there is Windows in their network. Recently a virus
>> stole the passwords of one of the managers, got onto one of the servers
>> and downloaded bad software.
>>
>> I would like to restrict access in case of simple larceny of
>> passwords by viruses, but I am not able to do it in the standard manner,
>> because from the server side all managers come from one IP address. Also,
>> I don't want to set up authorization through a public key, since it
>> isn't compatible with LDAP authorization on the server, and managers
>> can log in to the server without entering any passwords.
>>
>> All that I want is the mandatory presence of a public key and standard
>> authorization with a request for the password which is stored on the
>> server.
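
A check for the forced-command workaround suggested at the top of this message, as an added example that is not part of the original thread: it audits an authorized_keys file for keys that would skip the `sudo /bin/login` password step. The sample file, key material and user names are constructed; the forwarding check assumes sshd's documented behaviour that a forced command does not by itself disable forwarding unless `restrict` or `no-port-forwarding` is set.

```python
import re

FORCED = "sudo /bin/login"              # forced command named in the reply above
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")   # prefixes of OpenSSH key-type names
OPTION = re.compile(r'([\w-]+)(?:="((?:\\.|[^"\\])*)")?(?:,|$)')

def parse_options(line):
    """Return the options of one authorized_keys line as a dict (flag -> None)."""
    line = line.strip()
    if line.startswith(KEY_TYPES):
        return {}                        # line starts with the key type: no options
    # The options field ends at the first space outside double quotes.
    quoted, end = False, len(line)
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            quoted = not quoted
        elif ch == " " and not quoted:
            end = i
            break
    return {m.group(1).lower(): m.group(2) for m in OPTION.finditer(line[:end])}

def audit(text):
    """Return (line number, reason) for each key that avoids the password step."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        opts = parse_options(line)
        if opts.get("command") != FORCED:
            findings.append((n, "no forced login command: the key alone grants a shell"))
        elif "restrict" not in opts and "no-port-forwarding" not in opts:
            findings.append((n, "forwarding not disabled: usable without the password step"))
    return findings

# Constructed sample; the key material is placeholder text, not real keys.
SAMPLE = '''\
# managers' keys
command="sudo /bin/login",no-port-forwarding,no-agent-forwarding ssh-ed25519 AAAAplaceholder1 alice
ssh-rsa AAAAplaceholder2 bob
command="sudo /bin/login" ssh-ed25519 AAAAplaceholder3 carol
restrict,pty,command="sudo /bin/login" ssh-ed25519 AAAAplaceholder4 dave
'''

if __name__ == "__main__":
    for lineno, reason in audit(SAMPLE):
        print(f"line {lineno}: {reason}")
```

The forced command needs a terminal for the login prompt, which is why the `restrict` line in the sample re-enables `pty`.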